Newsletter

In the December 2018 edition of the EDPS Newsletter we cover the introduction of the new Regulation 2018/1725, what we can learn from machine learning, and look back on the 40th International Conference of Data Protection and Privacy Commissioners.

The adoption of new data protection rules for the EU institutions and bodies represents another vital step forward in the development of a comprehensive EU framework for data protection in the digital age, the European Data Protection Supervisor (EDPS) said on 11 December 2018.

Giovanni Buttarelli, EDPS, said: “The new Regulation, which applies from 11 December 2018, brings the data protection rules for the EU institutions and bodies (EUI) in line with the standards imposed on other organisations and businesses by the General Data Protection Regulation (GDPR). Under the new rules, which we may refer to as the EUI-GDPR, the EDPS remains responsible for ensuring the effective protection of individuals’ fundamental rights and freedoms whenever their personal data is processed by the EU institutions or on their behalf, whether this is to ensure EU markets work better, to evaluate and supervise medicines in the EU or to fight against terrorism and organised crime. This role includes promoting public awareness and understanding of the risks to people’s rights and freedoms in relation to the processing of personal data, as well as increased cooperation with national data protection authorities. The EU institutions are expected to lead by example in applying the new rules and ensure compliance from day one onwards”.

Looking back on the Olympic Games of Data Protection

We are delighted to report that the 40th International Conference of Data Protection and Privacy Professionals was a resounding success. A big thank you to everyone who took part! The public session of the week-long event, at which we were Debating Ethics: Dignity and Respect in Data Driven Life, brought together individuals from around the globe interested in the societal effect of the digital revolution.

Take a look back at some of the things that made this year’s event so special:

A new Regulation is born!

The EDPS welcomed 100 Data Protection Officers (DPOs) and assistant DPOs to Brussels on 12 December 2018 for the second EDPS-DPO meeting of the year, just one day after the long-awaited Regulation (EU) 2018/1725 became fully applicable. The new Regulation brings the data protection rules applicable to the EU institutions in line with the rules for all companies and organisations operating in the EU, set out in the General Data Protection Regulation (GDPR).

With many things set to change under the new rules, the meeting was a chance to reflect on the new challenges we face. Assistant Supervisor Wojciech Wiewiórowski opened the meeting by referring to the importance the new rules place on the principle of accountability. Simple compliance is no longer sufficient. EU institutions must now also ensure that they are able to demonstrate their compliance.

He also highlighted the role of the DPO as the guardian of the data protection rules within their institution. The processing of personal data, even when done lawfully, can put the rights and freedoms of individuals at risk. Data protection rules minimise these risks and it is the role of the EDPS and DPOs to identify, understand and explain these risks to those responsible for handling personal data in our institutions, known as controllers.

The day’s activities were planned around a series of case studies aimed at providing the DPOs with hands-on experience of how to deal with some of the new challenges they face under the new Regulation. These included the restriction of individuals' rights under the new rules, data breach notifications and joint controllership. We wanted to encourage the DPOs to see the new rules not as a burden, but rather as a reference tool on how to ensure respect for the rights of those individuals whose personal data the EU institutions use on a daily basis to carry out their tasks and responsibilities.

Supervising Eurojust: a new cooperation framework

The European Union Agency for Criminal Justice Cooperation (Eurojust) was set up to reinforce the fight against serious organised crime within the European Union and to promote coordination and cooperation between national investigating and prosecuting authorities dealing with these crimes.

On 6 November 2018, the European Parliament and the Council adopted a new legal framework for Eurojust. It includes new rules on data protection, which task the EDPS with supervising the processing of personal data at Eurojust. It also provides for cooperation between the EDPS and the national Data Protection Authorities (DPAs) within the framework of the European Data Protection Board (EDPB). Aimed at ensuring coordinated supervision, this cooperation mechanism would be used to address any issue requiring national involvement. We will therefore work with the EDPB over the coming year to ensure that the mechanism facilitates comprehensive and effective cooperation in the interest of protecting individuals’ data protection rights.

The EDPS will take over responsibility for supervising data processing activities at Eurojust from 12 December 2019. This transition period will allow us to ensure a consistent supervision regime in the area of freedom, security and justice, in line with the approach taken in our supervision of Europol.

Cross-border investigations of a different kind

Ever since the GDPR became enforceable on 25 May 2018, some EU institutions have experienced problems collecting required information from certain companies. These companies claim that the GDPR prevents them from providing the EU institutions with this data. Some of the institutions and bodies affected by this problem include:

the European Commission’s Directorate General for Competition (DG COMP), which works, among other things, on anti-trust matters;

the European Anti-Fraud Office (OLAF), which carries out external investigations on suspected fraud;

the European Investment Bank (EIB) and European Investment Fund (EIF), which need to audit funded projects.

In response to this problem, we made sure that the EU institutions concerned were fully informed about the law and how it is relevant to their work.

The collection of data necessary for fulfilling the task assigned to them by law is legal, and not restricted by the GDPR. The relevant EU institution or body is obliged to inform the individual concerned that they plan to process their personal data, but there are also exceptions to this rule, particularly where informing the individual involved would jeopardise the investigation, notably in its early stages.

However, the EDPS is unable to resolve this problem alone. This is because the main issue here concerns the obligations of the companies, who are controllers under the GDPR. As it is the job of national DPAs to supervise adherence to the GDPR within their respective countries, we turned to the European Data Protection Board (EDPB) to follow up on this matter. We hope to have a resolution to the problem as soon as possible.

A framework for covered bonds

Following a request for consultation from the European Commission, the EDPS issued formal Comments on the Proposal for a Directive on the issue of covered bonds and their public supervision.

The aim of the Directive is to establish a common framework for the issuance and the structural features of covered bonds. The harmonisation of covered bonds would include establishing specific public supervision, the use of a European Covered Bonds label and publication obligations for competent authorities in the field of covered bonds.

While the EDPS had no general objection to the proposed Directive, we drew the legislator's attention to the need for the competent public authorities and private actors to respect the principle of data minimisation when processing personal data. Furthermore, we recommended that additional measures be introduced to ensure compliance with an individual’s right to be informed, as well as the introduction of a maximum retention period for the publication of decisions on the website of the competent authority.

Strengthening the European Border and Coast Guard

Upon request from the European Parliament, the EDPS issued formal comments on the Proposal on the European Border and Coast Guard (EBCG). The Regulation would enhance the executive power and operational capacity of the European Border and Coast Guard Agency (Frontex) by providing it with a standing corps of 10,000 operational staff.

The EDPS made recommendations, including drafting suggestions, on the main open issues relating to data protection. In continuity with our 2016 Opinion on the Proposal to establish the current EBCG Regulation, the EDPS pointed out the need to clearly define the responsibilities of the EBCG, the responsibilities of the Member States and, given increased international cooperation, the responsibilities of international organisations and non-EU countries.

We stated that the Proposal would benefit from a clearer definition of the purposes for which personal data is to be processed. This would make it easier to check on the necessity and proportionality of the data processing activities envisaged under the different scenarios given in the Proposal. Other comments and suggestions concerned transfers of personal data, the EUROSUR cooperation mechanism, and the possibility of restricting the rights and freedoms of the persons concerned in accordance with the conditions and limits laid down under the relevant data protection law.

EDPS Comments

The urgent case for a new ePrivacy law

ePrivacy is the indispensable missing piece of the digital rights jigsaw. Here is why:

1. The GDPR regulates data protection, not the privacy of communications

The adoption of the proposed ePrivacy Regulation is crucial in order to protect the fundamental rights to privacy and the protection of personal data in the digital age. Progress must be made quickly to ensure legal certainty and a level playing field for market operators.

2. GDPR is not enough to change the predominant business model of surveillance

2018 will go down as the year that the world realised that data is not secure and its use brings disadvantages, not just benefits. Data is not secure even when processed by the most technologically advanced and financially-powerful companies on the planet. The Facebook/Cambridge Analytica revelations are still under investigation in Europe and America, but they are only the tip of the iceberg, a sign of a much wider problem and a symptom of many more problems still unnoticed.

3. Not all communications providers are required to give people control over their most intimate data

The GDPR does not address itself specifically to communications or communications data as such. The Commission decided to propose reforms in two steps: first the GDPR, and then ePrivacy. Without ePrivacy rules that apply to all providers of electronic communications, these service providers may argue that there is no need to ask permission, or consent, from individuals to use their most private information.

4. ePrivacy will help fix, not exacerbate, digital market imbalances

The existing ePrivacy rules required national transposing laws which are inevitably divergent in many ways. The GDPR, meanwhile, is directly applicable. Again, it is unfair and economically unsustainable to expect controllers providing electronic communications services to be subject to a patchwork of data rules, some EU-wide, some national.

Data breach notifications: a how-to guide for EU institutions

Under the new Regulation, all EU institutions and bodies have a duty to report certain types of personal data breaches to the EDPS. They must do this within 72 hours of becoming aware of the breach. If there is a high risk that the breach will adversely affect individuals’ rights and freedoms, the EU institution must also inform the individuals concerned without unnecessary delay.

The costs and risks related to a data breach can be significant. Since the first mandatory data breach notification law was passed in California in 2002, the obligation to notify different types of breaches has spread across the world, in response to an increasing number of incidents. This obligation should not only act as a deterrent but also encourage organisations to do everything in their power to prevent breaches from occurring in the first place. The GDPR’s strict requirements on data breach notifications have already demonstrated the positive effects of this approach.

With the new data protection Regulation for EU institutions now in force, the institutions must ensure they have prevention and detection mechanisms in place for personal data breaches, as well as investigation and internal reporting procedures. The new Guidelines provide the necessary practical advice and background for assessing and notifying the EDPS through a new online form, accessible via our website.

What do we learn from Machine Learning?

The history of Artificial Intelligence (AI) can be seen as a sequence of increasing expectations and frustrating disappointments. Unlike the usual hype cycle for new technologies, AI has already experienced several cycles of peaks of inflated expectations and troughs of disillusionment in the sixty years since the first coining of the term artificial intelligence by Stanford professor John McCarthy, considered one of the fathers of AI.

Machine learning has been a central discipline in the field of AI for decades, and the recent progress in this discipline has played a central role in the rise of interest in AI. Progress in computer hardware and software has enabled faster operations, the processing of larger amounts of data and new storage and communications possibilities; taking advantage of this progress makes it possible to apply machine learning technologies to new and bigger tasks and to advance other disciplines of AI. Natural Language Processing, Image Recognition and all kinds of operations based on data analysis are making significant progress thanks to machine learning.

There are few authorities monitoring the impact of new technologies on fundamental rights so closely and intensively as data protection and privacy commissioners. At the International Conference of Data Protection and Privacy Commissioners, the 40th ICDPPC, we continued the discussion on AI which began in Marrakesh two years ago with a reflection paper prepared by EDPS experts. In the meantime, many national data protection authorities have invested considerable efforts and provided important contributions to the discussion.

We are only at the beginning of this debate. More voices will be heard: think tanks such as CIPL are coming forward with their suggestions, and so will many other organisations.

Only by setting an example in AI and other areas of technological change can we motivate the rest of the world to follow the way of democracy and fundamental rights.

The annual Computers, Privacy and Data Protection (CPDP) conference will take place from 30 January to 1 February at Les Halles de Schaerbeek and Area42 in Brussels. The CPDP conference offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. The four-day event gathers together academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world to exchange ideas and discuss the latest emerging issues and trends. As in previous years, CPDP2019 offers a compelling and diverse line-up of speakers and panels, helping to make it one of the leading data protection conferences in Europe and around the world.

CPDP2019 adopts “Data Protection & Democracy” as its overarching theme, paving the way for a timely and thorough discussion over a broad range of ethical, legal and policy issues related to new technologies and data analytics. The conference will offer more than 80 panels addressing current debates in the area of information technology, privacy, and data protection.

The preliminary programme for CPDP2019 has been released and the line-up contains excellent panels. Session topics range from blockchain and cross-border access to e-evidence, from big data in healthcare to data protection impact assessments, collective redress, privacy by design, data and elections, predictive policing and much more. CPDP is also an extraordinary networking opportunity to mix and mingle with the privacy and data protection community.

The EDPS is organising two panels as part of the CPDP conference on Thursday, 31 January. The first, Checks and Balances in the AFSJ: Rethinking Governance, is to be chaired by Assistant EDPS Wojciech Wiewiórowski and focuses on the governance of information exchange in the field of the AFSJ. Later that day, at Grande Halle, EDPS Giovanni Buttarelli will chair Blurring of the Boundaries between Migration and Security: What Impact on the Rights and Freedoms of Individuals? This panel will explore the legal and societal consequences of enabling large-scale EU databases to communicate and exchange information in response to the migratory crisis and security challenges.